File name: | 41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe |
Full analysis: | https://app.any.run/tasks/28a70d0e-e313-4bec-af64-39869ec54ebf |
Verdict: | Malicious activity |
Threats: | Amadey is a Windows bot/loader with infostealer plugins (the plugin names cred.dll and clip.dll appear in its strings), characterized by its persistence mechanisms, modular design, and ability to fetch and execute additional payloads; in this run it downloaded legs.exe, am209.exe and 696969.exe from its C2. |
Analysis date: | January 10, 2025, 20:39:53 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.microsoft.portable-executable |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections |
MD5: | 0A7F88A22AE393BE6AAF81E99911559E |
SHA1: | 618BD53DCB394611C6EE90199ABE534D40DD6958 |
SHA256: | 41877F9E09AAE067DC58C6B1E29DA9D93F0773B742F1E59E6175FE57DDF052AE |
SSDEEP: | 98304:8+7IIYN3A1dUKW83me3qNNW0DVU3aNkHTdvqlG9ehlzEJAuufVuVHvzULQkHYJLP:VkTb8 |
Extension | File type match | Probability (%)
---|---|---
.exe | Win64 Executable (generic) | 64.6
.dll | Win32 Dynamic Link Library (generic) | 15.4
.exe | Win32 Executable (generic) | 10.5
.exe | Generic Win/DOS Executable | 4.6
.exe | DOS Executable Generic | 4.6
Field | Value
---|---
Subsystem: | Windows GUI
SubsystemVersion: | 6
ImageVersion: | -
OSVersion: | 6
EntryPoint: | 0x32b000
UninitializedDataSize: | -
InitializedDataSize: | 104960
CodeSize: | 321024
LinkerVersion: | 14.24
PEType: | PE32
ImageFileCharacteristics: | Executable, 32-bit
TimeStamp: | 2024:07:25 12:10:38+00:00
MachineType: | Intel 386 or later, and compatibles
PID | CMD | Path | Parent process | Details
---|---|---|---|---
5864 | "C:\Users\admin\Desktop\41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe" | C:\Users\admin\Desktop\41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
5096 | "C:\Users\admin\AppData\Local\Temp\44111dbc49\axplong.exe" | C:\Users\admin\AppData\Local\Temp\44111dbc49\axplong.exe | 41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe | User: admin; Integrity Level: MEDIUM; Amadey 4.41 (config below)
4556 | "C:\Users\admin\AppData\Local\Temp\1001527001\legs.exe" | C:\Users\admin\AppData\Local\Temp\1001527001\legs.exe | axplong.exe | User: admin; Integrity Level: MEDIUM; Exit code: 3221226505 (0xC0000409, STATUS_STACK_BUFFER_OVERRUN; crash handled by WerFault PID 1328)
3840 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | legs.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Console Window Host; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800)
1616 | "C:\Users\admin\AppData\Local\Temp\1001527001\legs.exe" | C:\Users\admin\AppData\Local\Temp\1001527001\legs.exe | legs.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 (legs.exe relaunching itself)
1328 | C:\WINDOWS\SysWOW64\WerFault.exe -u -p 4556 -s 136 | C:\Windows\SysWOW64\WerFault.exe | legs.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Problem Reporting; Exit code: 0; Version: 10.0.19041.3996 (WinBuild.160101.0800)
2192 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | User: NETWORK SERVICE; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Host Process for Windows Services; Version: 10.0.19041.1 (WinBuild.160101.0800)
5268 | "C:\Users\admin\AppData\Local\Temp\1004899001\am209.exe" | C:\Users\admin\AppData\Local\Temp\1004899001\am209.exe | axplong.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
2996 | "C:\Users\admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe" | C:\Users\admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe | am209.exe | User: admin; Integrity Level: MEDIUM; Amadey 5.04 (config below)
5316 | "C:\Users\admin\AppData\Local\Temp\1010910001\696969.exe" | C:\Users\admin\AppData\Local\Temp\1010910001\696969.exe | axplong.exe | User: admin; Integrity Level: MEDIUM; Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)

Two Amadey instances run in this chain: the dropper installs axplong.exe (4.41), and one of the payloads it fetches, am209.exe, is itself an Amadey installer that drops defnur.exe (5.04) into a second drop directory beaconing to a different C2 on the same /24.

Amadey config | PID 5096, axplong.exe
---|---
C2: | 185.215.113.16
URL: | http://185.215.113.16/Jo89Ku7d/index.php
Version: | 4.41
Drop directory: | 44111dbc49
Drop name: | axplong.exe

Strings (119): lv: kernel32.dll GET && ?scr=1 4.41 ------ exe Doctor Web wb Sophos ESET Programs %-lu abcdefghijklmnopqrstuvwxyz0123456789-_ av: un: -executionpolicy remotesigned -File " Content-Type: multipart/form-data; boundary=---- \0000 Content-Type: application/x-www-form-urlencoded rundll32 44111dbc49 pc: DefaultSettings.XResolution -- ar: 2016 id: ::: Startup SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders dm: SYSTEM\ControlSet001\Services\BasicDisplay\Video cred.dll|clip.dll| " og: &unit= rundll32.exe " && ren /k Avira <d> SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders 360TotalSecurity "
Content-Type: application/octet-stream os: axplong.exe SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName -unicode- %USERPROFILE% zip /quiet # CurrentBuild Powershell.exe cmd DefaultSettings.YResolution Main ProductName msi SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce dll rb r= clip.dll SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\ VideoID POST Content-Disposition: form-data; name="data"; filename=" 2019 /Plugins/ 2022 d1 Norton " && timeout 1 && del .jpg ps1 shutdown -s -t 0 sd: ProgramData\ e0 185.215.113.16 bi: -%lu GetNativeSystemInfo e2 Comodo ComputerName ------ st=s \App random 0123456789 Panda Security vs: shell32.dll https:// \ http:// Kaspersky Lab SOFTWARE\Microsoft\Windows\CurrentVersion\Run /Jo89Ku7d/index.php | AVG cmd /C RMDIR /s/q WinDefender "taskkill /f /im " +++ S-%lu- cred.dll AVAST Software && Exit" SOFTWARE\Microsoft\Windows NT\CurrentVersion Rem Bitdefender = e1 <c>

Amadey config | PID 2996, defnur.exe
---|---
C2: | 185.215.113.209
URL: | http://185.215.113.209/Fru7Nk9/index.php
Version: | 5.04
Drop directory: | fc9e0aaab7
Drop name: | defnur.exe

Strings (125): lv: kernel32.dll GET && ?scr=1 00000422 ------ exe Doctor Web wb Sophos ESET Programs %-lu abcdefghijklmnopqrstuvwxyz0123456789-_ av: un: -executionpolicy remotesigned -File " Content-Type: multipart/form-data; boundary=---- \0000 Content-Type: application/x-www-form-urlencoded rundll32 pc: DefaultSettings.XResolution -- ar: 2016 id: ::: 5.04 SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup dm: SYSTEM\ControlSet001\Services\BasicDisplay\Video 00000423 cred.dll|clip.dll| " og: &unit= rundll32.exe fc9e0aaab7 " && ren 00000419 defnur.exe /k Avira <d> SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders 360TotalSecurity "
Content-Type: application/octet-stream os: e3 0000043f SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName -unicode- %USERPROFILE% zip /quiet # CurrentBuild Powershell.exe cmd DefaultSettings.YResolution Main ProductName msi SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce dll rb r= clip.dll SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\ VideoID POST Content-Disposition: form-data; name="data"; filename=" 2019 /Plugins/ 185.215.113.209 2022 d1 Norton " && timeout 1 && del .jpg ps1 shutdown -s -t 0 sd: ProgramData\ bi: -%lu GetNativeSystemInfo e2 Comodo ComputerName ------ st=s \App random 0123456789 Panda Security vs: shell32.dll https:// \ http:// Keyboard Layout\Preload Kaspersky Lab SOFTWARE\Microsoft\Windows\CurrentVersion\Run | AVG /Fru7Nk9/index.php cmd /C RMDIR /s/q WinDefender "taskkill /f /im " +++ S-%lu- cred.dll 2025 AVAST Software && Exit" SOFTWARE\Microsoft\Windows NT\CurrentVersion Rem Bitdefender = e1 <c>

The 5.04 strings differ from 4.41 by the addition of Keyboard Layout\Preload and the layout IDs 00000419 (Russian), 00000422 (Ukrainian), 00000423 (Belarusian) and 0000043f (Kazakh), consistent with a CIS-locale check; the rest (AV vendor names, Run/RunOnce keys, rundll32 plugin loading, the taskkill/RMDIR/del cleanup fragments and the st=s check-in token) is shared between the two builds.
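The configuration extractions above are flattened into one line per bot with the field labels run straight into their values. The following parser, written for this page as an added example (not ANY.RUN's or Amadey's own code), splits those lines into structured IOCs and derives the host artifacts seen in this run. The input lines are abridged copies of the two config lines above, keeping only the tokens the parser uses; the drop-path and Tasks\*.job derivations are assumptions taken from this report's process and file tables, and the layout-ID names are the standard Windows locale identifiers.

```python
"""Parse the flattened Amadey config lines from the report into IOCs."""
import re
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Abridged copies of the two "Amadey(PID) ..." lines from the process table
# (constructed for this example; only the tokens used below are kept).
REPORT_CONFIG_LINES = [
    "Amadey(PID) Process(5096) axplong.exe C2185.215.113.16 "
    "URLhttp://185.215.113.16/Jo89Ku7d/index.php Version4.41 Options "
    "Drop directory44111dbc49 Drop nameaxplong.exe Strings (119)lv: kernel32.dll "
    "GET && ?scr=1 4.41 cred.dll|clip.dll| SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce "
    "st=s SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /Jo89Ku7d/index.php",
    "Amadey(PID) Process(2996) defnur.exe C2185.215.113.209 "
    "URLhttp://185.215.113.209/Fru7Nk9/index.php Version5.04 Options "
    "Drop directoryfc9e0aaab7 Drop namedefnur.exe Strings (125)lv: kernel32.dll "
    "GET && ?scr=1 00000422 5.04 00000423 cred.dll|clip.dll| 00000419 "
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce 0000043f st=s "
    "Keyboard Layout\\Preload SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
]

# Field labels are glued to their values, so anchor on the fixed label text.
CONFIG_RE = re.compile(
    r"Amadey\(PID\) Process\((?P<pid>\d+)\) (?P<process>\S+) "
    r"C2(?P<c2>\S+) URL(?P<url>\S+) Version(?P<version>\S+) Options "
    r"Drop directory(?P<drop_dir>\S+) Drop name(?P<drop_name>\S+) "
    r"Strings \((?P<count>\d+)\)(?P<strings>.*)",
    re.DOTALL,
)
PLUGIN_RE = re.compile(r"(?:[\w.]+\.dll\|)+")          # e.g. "cred.dll|clip.dll|"
RUN_KEY_RE = re.compile(r"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?")
KLID_RE = re.compile(r"\b0000[0-9a-f]{4}\b")           # keyboard layout IDs
KLID_NAMES = {"00000419": "ru-RU", "00000422": "uk-UA",  # Windows locale IDs
              "00000423": "be-BY", "0000043f": "kk-KZ"}


def parse_amadey_config(line: str) -> dict:
    """Split one flattened config line into labelled fields plus derived IOCs."""
    m = CONFIG_RE.search(line)
    if not m:
        raise ValueError("not an Amadey config line")
    cfg = m.groupdict()
    cfg["pid"] = int(cfg["pid"])
    cfg["count"] = int(cfg["count"])
    parts = urlsplit(cfg["url"])
    cfg["c2_host"] = parts.hostname
    cfg["c2_path"] = parts.path
    cfg["c2_consistent"] = parts.hostname == cfg["c2"]   # URL host should equal C2
    strings = cfg.pop("strings")
    blob = PLUGIN_RE.search(strings)
    cfg["plugins"] = [p for p in blob.group(0).split("|") if p] if blob else []
    cfg["run_keys"] = sorted(set(RUN_KEY_RE.findall(strings)))
    cfg["keyboard_layouts"] = {k: KLID_NAMES.get(k, "?")
                               for k in sorted(set(KLID_RE.findall(strings)))}
    # Host artifacts as observed in this report: the bot copy lives at
    # %LOCALAPPDATA%\Temp\<drop_dir>\<drop_name> and the dropper writes
    # C:\Windows\Tasks\<drop_name stem>.job (assumed, not guaranteed, for
    # other samples of these versions).
    cfg["drop_path"] = f"%LOCALAPPDATA%\\Temp\\{cfg['drop_dir']}\\{cfg['drop_name']}"
    cfg["job_path"] = f"C:\\Windows\\Tasks\\{PureWindowsPath(cfg['drop_name']).stem}.job"
    return cfg


def network_iocs(configs: list) -> dict:
    """Deduplicated C2 hosts and check-in URLs across all parsed configs."""
    return {"hosts": sorted({c["c2_host"] for c in configs}),
            "urls": sorted({c["url"] for c in configs})}


if __name__ == "__main__":
    cfgs = [parse_amadey_config(line) for line in REPORT_CONFIG_LINES]
    for c in cfgs:
        print(c["process"], c["version"], c["url"], c["plugins"],
              c["keyboard_layouts"], c["drop_path"], c["job_path"])
    print(network_iocs(cfgs))
```

The `c2_consistent` flag is worth keeping in real tooling: when the C2 field and the URL host disagree, the extractor matched a decoy or stale string and the IOC should not be pushed to a block list unverified.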
PID | Process | Operation | Key | Name | Value
---|---|---|---|---|---
5096 | axplong.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix | (empty)
5096 | axplong.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie:
5096 | axplong.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited:
2996 | defnur.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix | (empty)
2996 | defnur.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie:
2996 | defnur.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited:
5316 | 696969.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix | (empty)
5316 | 696969.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie:
5316 | 696969.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited:

All nine writes are the CachePrefix values WinINet sets when a process first initialises its URL cache; they show that each of the three processes used WinINet for its HTTP traffic, not that anything was persisted in the registry. The persistence artifact of this run is the scheduled-task file C:\Windows\Tasks\axplong.job listed in the file table.
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
1328 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_legs.exe_b69dcd31991ac936315188b4a52a885c5ebfec_fdf40bfd_e89d49c0-6286-4fc8-8731-48d80fc2740f\Report.wer | — | — | —
1328 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\legs.exe.4556.dmp | — | — | —
1348 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_696969.exe_b364b07473c6281ded8b432832f7dffc980d0_d85faf26_a2a88736-f325-4d53-a734-79623dcc16f2\Report.wer | — | — | —
1348 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER7937.tmp.WERInternalMetadata.xml | xml | 9F85756BC40FB67C90BFE818A56FA942 | 12D4B97F3F2A2A4A747B436ED0CBBE17946B3592B156F7BFF95F0287C24367BF
1348 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER7957.tmp.xml | xml | DB3A89C4735CB811699283392606D07F | 1693DDE494D2C3CE8C61271A6576E1DD35F4E33AD0C1315154B0D773FE952836
1328 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERAA1F.tmp.WERInternalMetadata.xml | xml | 36BCF3516079CB45F21B95DD9A2CA12D | 292E3D4BC617BFFE1B10F5C93C3FF37D62513377FD8C83101FB4D10DEFD543C4
5864 | 41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe | C:\Windows\Tasks\axplong.job | binary | D446F281DFEBA704B5320A0013F90407 | 14BC0492B14E482FD4D09B3AEA9CE72C69916C1FC623564FDED6F2AB82936503
1348 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER786A.tmp.dmp | binary | D59E08BA2054F1B22DCD87BBEADC0B91 | 5D7890348A8BD721786A97F5A78D7B0BFBBBA77850A96DEE9E279F98D714159E
5096 | axplong.exe | C:\Users\admin\AppData\Local\Temp\1004899001\am209.exe | executable | CE27255F0EF33CE6304E54D171E6547C | 82C683A7F6E0B4A99A6D3AB519D539A3B0651953C7A71F5309B9D08E4DAA7C3C
5096 | axplong.exe | C:\Users\admin\AppData\Local\Temp\1001527001\legs.exe | executable | A2697E928936F05710DFB331F982C917 | 2854E22091C01A1C1A9B654D7305EC7BEB0BCC703E161DBEF06AF7D9C401495B

Two points for triage: the scheduled-task file axplong.job is written by the dropper itself (PID 5864), so persistence for axplong.exe is in place before the copy first runs; and the WER report queue, crash dumps and metadata XML files are side effects of legs.exe (0xC0000409) and 696969.exe (0xC0000005) crashing, not attacker-created artifacts, though the dumps are useful for analysing the unpacked payloads.
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
5096 | axplong.exe | GET | 200 | 185.215.113.16:80 | http://185.215.113.16/test/am209.exe | unknown | — | — | malicious |
5316 | 696969.exe | GET | — | 135.181.65.216:80 | http://135.181.65.216/ | unknown | — | — | malicious |
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5096 | axplong.exe | GET | 200 | 185.215.113.16:80 | http://185.215.113.16/inc/legs.exe | unknown | — | — | malicious |
5096 | axplong.exe | POST | 200 | 185.215.113.16:80 | http://185.215.113.16/Jo89Ku7d/index.php | unknown | — | — | malicious |
5096 | axplong.exe | POST | 200 | 185.215.113.16:80 | http://185.215.113.16/Jo89Ku7d/index.php | unknown | — | — | malicious |
3296 | svchost.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
3296 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5096 | axplong.exe | GET | 200 | 185.215.113.16:80 | http://185.215.113.16/inc/696969.exe | unknown | — | — | malicious |
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3296 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3296 | svchost.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
3296 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
4712 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5096 | axplong.exe | 185.215.113.16:80 | — | 1337team Limited | SC | malicious |
Domain | IP | Reputation
---|---|---
settings-win.data.microsoft.com | — | whitelisted
google.com | — | whitelisted
crl.microsoft.com | — | whitelisted
www.microsoft.com | — | whitelisted
pancakedipyps.click | — | malicious
nearycrepso.shop | — | malicious
abruptyopsn.shop | — | malicious
wholersorie.shop | — | malicious
framekgirus.shop | — | malicious
tirepublicerj.shop | — | malicious
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 33 |
— | — | Malware Command and Control Activity Detected | BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s) |
— | — | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
— | — | Misc activity | ET INFO Packed Executable Download |
— | — | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
— | — | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
— | — | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |
— | — | A Network Trojan was detected | ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 |
— | — | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
— | — | Domain Observed Used for C2 Detected | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nearycrepso .shop) |
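The network alerts above reduce to three observable conditions on the HTTP table: a request to an IP-literal host, a GET from such a host whose response body is a PE (MZ), and a POST to index.php carrying the Amadey st=s check-in token. The following script re-derives those alerts from request records; it is an added example written for this page, not ANY.RUN's or Emerging Threats' rule logic. The records are constructed from the HTTP table, and the response bytes and POST body are assumptions, since the report shows only method, host, URL and status code. The svchost.exe CRL fetch is included as a negative control so the rules can be seen not firing on whitelisted traffic.

```python
"""Re-derive the Amadey HTTP alerts from request records."""
import re
from urllib.parse import parse_qs, urlsplit

DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed from the HTTP table above; "response" and "body" are assumptions.
REQUESTS = [
    {"pid": 5096, "process": "axplong.exe", "method": "GET", "status": 200,
     "url": "http://185.215.113.16/test/am209.exe", "body": "", "response": b"MZ\x90\x00"},
    {"pid": 5096, "process": "axplong.exe", "method": "GET", "status": 200,
     "url": "http://185.215.113.16/inc/legs.exe", "body": "", "response": b"MZ\x90\x00"},
    {"pid": 5096, "process": "axplong.exe", "method": "GET", "status": 200,
     "url": "http://185.215.113.16/inc/696969.exe", "body": "", "response": b"MZ\x90\x00"},
    {"pid": 5096, "process": "axplong.exe", "method": "POST", "status": 200,
     "url": "http://185.215.113.16/Jo89Ku7d/index.php", "body": "st=s", "response": b""},
    {"pid": 5316, "process": "696969.exe", "method": "GET", "status": None,
     "url": "http://135.181.65.216/", "body": "", "response": b""},
    {"pid": 3296, "process": "svchost.exe", "method": "GET", "status": 200,
     "url": "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl",
     "body": "", "response": b"0\x82\x05"},
]


def classify(req: dict) -> list:
    """Return the alert names that fire on one request (empty list if none)."""
    u = urlsplit(req["url"])
    host = u.hostname or ""
    alerts = []
    ip_literal = bool(DOTTED_QUAD.match(host))
    if ip_literal:
        alerts.append("INFO dotted-quad host contacted")
    # PE served by an IP-literal host: the "MZ response" / second-stage pattern.
    if req["method"] == "GET" and ip_literal and req["response"].startswith(b"MZ"):
        alerts.append("HUNTING PE download from dotted-quad host")
    # Amadey check-in: form-encoded POST to index.php whose body carries st=s.
    if (req["method"] == "POST" and u.path.endswith("index.php")
            and parse_qs(req["body"]).get("st") == ["s"]):
        alerts.append("MALWARE Amadey check-in (st=s)")
    return alerts


def run(requests: list) -> list:
    """Evaluate every request; keep only those that raised at least one alert."""
    hits = []
    for r in requests:
        alerts = classify(r)
        if alerts:
            hits.append({"pid": r["pid"], "process": r["process"],
                         "url": r["url"], "alerts": alerts})
    return hits


def c2_hosts(hits: list) -> list:
    """Hosts that received a check-in or served a PE: the block-list candidates."""
    out = set()
    for h in hits:
        if any(a.startswith(("MALWARE", "HUNTING")) for a in h["alerts"]):
            out.add(urlsplit(h["url"]).hostname)
    return sorted(out)


if __name__ == "__main__":
    hits = run(REQUESTS)
    for h in hits:
        print(h["pid"], h["process"], h["url"], "; ".join(h["alerts"]))
    print("C2/payload hosts:", c2_hosts(hits))
```

Note that the 696969.exe request to 135.181.65.216 raises only the informational alert: there is no response and no beacon token, which matches the table above (no HTTP code) and is why that host is not listed as a C2 here even though the sandbox marked the connection malicious on reputation.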
Process | Message | Occurrences
---|---|---
41877f9e09aae067dc58c6b1e29da9d93f0773b742f1e59e6175fe57ddf052ae.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------ | 1
axplong.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------ | 3

Both the dropper and its copy axplong.exe emit the Themida Professional banner, so static string extraction from the file on disk will not yield the C2 or drop-name configuration; the configurations in the process table were taken from the running processes (PIDs 5096 and 2996).